The theft of a portable hard drive from an employee of the Alaska Department of Health and Social Services (DHSS) potentially exposed the ePHI of about 2,000 individuals. Following an investigation by the HHS Office for Civil Rights (OCR), a settlement has been reached under which the DHSS will pay the HHS $1.7 million for violations of the HIPAA Security Rule.
The U.S. Department of Health and Human Services' Office for Civil Rights was alerted to the breach when the Alaska DHSS reported the hard drive theft. Under the Health Information Technology for Economic and Clinical Health (HITECH) rules, all health care organizations must report data security breaches affecting more than 500 individuals to HHS Secretary Sebelius (smaller breaches must be reported annually).
A media notice must also be issued to alert potential victims, and the Breach Notification Rules require that every affected individual be contacted and informed of the security breach so that they can take steps to protect their finances and identities.
The investigation uncovered numerous compliance failures and inadequate policies and procedures for safeguarding the electronic health information of its Medicare recipients. The security weaknesses identified by the OCR would have been found by a risk analysis, and the unaddressed vulnerabilities and missing safeguards made it clear that this essential process had not been carried out.
The OCR found shortcomings in risk management plans, portable devices containing ePHI that were not protected, and device and media controls that had not been implemented. Its security staff had also not received the required data security training and were therefore not fully aware of their obligations under the HIPAA Security Rule. The HIPAA Security Rule requires all covered entities to implement robust security measures, including technical, administrative and physical safeguards, to protect patient and employee health information. Organizations must also comply with the HIPAA Privacy Rule, which was introduced to make it easier for patients to access their data while also protecting it and restricting access.
The settlement is the second largest to date, reflects the number of breaches uncovered by the OCR, and is the first time a financial penalty has been imposed on a state agency. This HIPAA fine sends a message to all entities covered by HIPAA rules, public and private alike, that violations will incur financial penalties and that the OCR is strictly enforcing compliance.
According to OCR Director Leon Rodriguez, data breaches involving portable storage devices can easily be avoided: "Covered entities should perform a comprehensive and full risk assessment as well as have in place important access controls to protect portable devices and hardware."
The Alaska Department of Health and Social Services must also follow a corrective action plan to bring its policies and procedures into line with current legislation, and those policies and procedures must be regularly reviewed and updated. To monitor progress, a report on ongoing compliance efforts must also be submitted to the OCR at regular intervals.